(19) 



J 



(12) 



(43) Date of publication: 

06.05.1999 Bulletin 1999/18 

(21) Application number: 98120404.3 

(22) Date of filing: 28.10.1998 



Europdisches Patentannt 
European Patent Office 
Office europ^en des brevets (11) EP 0 91 3 964 A2 

EUROPEAN PATErfT APPLICATION 

(51) lnt.CI.^: H04L9/26 



(84) Designated Contracting States: 


(72) Inventor: 


AT BE CH CY DE DK ES R PR GB GR IE IT LI LU 


Shimada, Michio, 


MCNLPT SE 


c/o NEC Corporation 


Designated Extension States: 


Tolcyo (JP) 


ALLTLVIMKROSi 






(74) Representative: 


(30) Priority: 31.10.1997 JP 314567/97 


VOSSIUS& PARTNER 




Slebertstrasse4 


(71) Applicant: NEC CORPORATION 


81675 IMQnchen (DE) 


Tolcyo (JP) 



(54) A method ol and an apparatus for generating internal crypto-lceys 



(57) To provide a method of generating internal 
crypto-keys to be set initially in a feedback-shift-regis- 
ters of a pseudo-random-sequence generator of a 
stream cipher system with sufficient security and suffi- 
ciently high speed as well, the method comprises: a 
step of outputting m sets of first conversion results, 
obtaining /-th set of the first conversion results by 
processing (/ - 1)-th set of the first conversion results 
with a first one-way-function; a step of outputting m sets 
of second conversion results; obtaining /-th set of the 
second conversion results by processing (/ - 1)-th sets 
of the second conversion results with a second one-way 
function; and a step of outputting y-th internal crypto-key 
by XORing /-th set of the first conversion results and {m 
- / + 1)-th set of the second conversion results. 
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Description 

[0001] The present invention relates to a method of 
and an apparatus for generating internal crypto-keys 
which are used as initial values to be set In feedback s 
registers of an pseudo-random-sequence generator for 
generating pseudo-random-numbers to be XORed 
(added according to exclusive OR logic) onto a data 
sequence recorded in a recording medium or to be 
transmitted in a communication system, for preventing a io 
third party from tapping the data sequence without per- 
mission. 

[0002] Cryptography called secret-key-cryptography 
can be classified into two types, cryptography called 
block ciphers and cryptography called stream ciphers. 75 
In the former ayptography, data of a fixed length, 64 
bits, for example, called the plain text is transformed into 
a data block called the cipher text according to a certain 
transformation algorithm. On the other hand, a 
sequence of pseudo-random-numbers called the key- 20 
stream is XORed onto a data stream called the plain 
text stream to be converted into a cipher-stream. 
[0003] As a method of generating a pseudo-random- 
sequence which is cryptographically secure, there is 
known a method making use of a one-way function such 2s 
as a public-key-cryptograph function. Here, the one-way 
function means a function f (x) which can be easily cal- 
culated from a variable x, but it is hardly possible to esti- 
mate the variable x from an output of the function / (x). 
[0004] FIG. 5 Is a block diagram illustrating a conf igu- so 
ration example of a conventional pseudo-random- 
sequence generator which generates the cryptographi- 
cally secure pseudo-random-sequence. 
[0005] Referring to FIG.5, an external key-data of n- 
bits is supplied to a first input terminal 405. A one-way 3$ 
function circuit 101 outputs an n-bW conversion result by 
processing n-bit output of a selector 201 with a certain 
one-way function (such as a public key function) accord- 
ing to a certain conversion parameter (such as a public 
key) supplied to a second input terminal 104. The LSB 40 
(Least Significant Bit) of the conversion result Is output 
from an output terminal 508 as a bit of the pseudo-ran- 
dom-sequence. 

[0006] With each dock pulse CLK supplied from a 
clock terminal 210. a register 202 outputs registered n- 45 
bit data to the selector 201 and newly registers the n-bit 
conversion result of the one-way function circuit 101. 
[0007] Only when the clock pulse CLK is supplied for 
the first to the register 202, a selection signal SEL sup- 
plied to the selector 210 through a selection terminal so 
21 1 is set at logic '0* for controling the selector 201 to 
output the external key-data supplied from the first input 
terminal 405 to the one-way function circuit 101, and 
aftenvards the selection signal SEL is turned to logic 'V 
so that the selector is controlled to select the output of ss 
the register 202 to be fed-back to the one-way function 
circuit 101. 

[0008] Thus, the pseudo-random-sequence is output 



bit-by-bit from the output terminal 508 in synchroniza- 
tion with the clock pulse CLK. 
[0009] The pseudo-random-sequence generator of 
FIG.5 is known to be cryptographically secure. How- 
ever, calculation of the oneway function takes compar- 
atively long time. 

[001 0] Therefore, a pseudo-random-sequence gener- 
ator consisting of a combination of several linear feed- 
back-sift-registers or nonlinear feedback-shift-registers 
is generally used for generating the key-stream of the 
stream cipher, when a high speed is required, having 
such configuration as illustrated in a block diagram of 
FIG. 6. 

[001 1 ] In tiie pseudo-random-sequence generator of 
FIG. 6. there are cornprised linear feedback-sift-regis- 
ters or nonlinear feedback-shifl-registers (hereinafter 
generically called the feedback-shift-registers) S^ to Sn. 
To each of the feedback-shift-registers, working as a 
sub-generator, an internal key K^ to K„ is set initially. At 
each dock, each of the feedback-shift-resisters is 
shifted by one bit outputting its LSB to a combination 
function F. and its MSB (Most Significant Bit) is gener- 
ated according to a certain feedback function from its 
registered bit sequence. The combination function F 
generates a key-stream bit by bit according to a certain 
combination function from outputs of the foedback-shift- 
registers S^ to S^. 

IP012] However, the key-stream generated making 
use of feedback-shift-registers, such as illustrated in 
FIG. 6. may sometimes be broken by a deciphering 
method called correlation attacks. So, various kinds of 
devices has been studied, whereof some examples are 
described in " Applied Cryptography, Second Edition: 
Protocols, Algorithms, and Source Code in C," by Bruce 
Schneier, published by John Wiley & Sons, Inc.. 1996, 
and as to the correlation attacks, there is an explanation 
in "Correlation- Immunity of Nonlinear Combining Func- 
tions for Cryptographic Applications'* by T. Siegentiialer, 
IEEE Transactions on Information Theory, Vol. lT-30, 
No. 5. 1984, for example. However, description of 
details of the pseudo-random-sequence generator itself 
or the correlation attacks is omitted, here. 
[P013] In any way, to be sufficientiy robust against 
ayptographic analysis such as the correlation attacks, 
sufficient numbers of sufffciently long-bit feedback-shift- 
registers shouki be used for generating the key-stream, 
which requires numbers of internal keys to be set to the 
feedback-shift-registors as their initial values. 
[001 4] On the other hand, bit-length of a secret crypto- 
key is usually limited practically, such as 64 bits, for 
example. Therefore, it is important for the pseudo-ran- 
dom-sequence generator consisting of feedback-shift- 
registers how to securely generate numbers of internal 
keys to be set thereto, from a secret-key given from 
external (hereinafter called the external key). 
[0015] As above mentioned, one or some internal 
keys may be estimated by the correlation attacks. 
Hence, when the internal keys are generated from a sin- 
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gle external key without sufficient care, all the internal 
keys may be easily estimated based on the broken 

internal keys. 

[001 6] Cryptographically secure internal keys may be 
obtained making use of a one-way function in the same 
way with generating the pseudo-random-sequence 
itself, by the pseudo-random-sequence generator of 
FIG. 5. for example. However, a demerit of obtaining the 
internal keys by way of the one-way function lies in that 
it takes too long time even for generating the internal 
keys once at the beginning of a cipher-stream. 
Because, the pseudo-random-sequence generator can- 
not but generate the pseudo-random-numbers bit by bit. 
Therefore, nxm clocks should be needed for generat- 
ing n sets of internal keys of m bits, for example, and the 
clock frequency cannot be made high because of com- 
paratively long calculation time of the one-way function. 
[0017] Therefore, a primary object of the present 
invention is to provide a method of and an apparatus for 
generating internal crypto-keys to be set initially in the 
feedback-shift-registers of a pseudo-random-sequence 
generator of the stream cipher system, with sufficient 
security and sufficiently high speed as welt. 
[0018] In order to achieve the object, a method 
according to the invention of generating internal crypto- 
keys from an external key comprises: 

a step of outputting m sets of first conversion 
results, each /-tii of the m sets of first conversion 
results being obtained by processing an (/ - 1)-th of 
the m sets of first conversion results with a first non- 
linear function and first of the m sets of first conver- 
sion results being obtained by processing a first 
part of the external key witii the first nonlinear func- 
tion, m being a positive integer more than one, / 
being a positive integer more than one and not 
more than m, and the first nonlinear function being 
a function wherein a variable giving a value of tiie 
function is difficult to be estimated from the value of 
the function; 

a step of outputting m sets of second conversion 
results, each /-tii of tiie m sets of second conver- 
sion results being obtained by processing an (/ - 1)- 
th of the m sets of first conversion results witii a 
second nonlinear function and first of tiie rn sets of 
second conversion results being obtained by 
processing a second part of the external key with 
the second nonlinear function, the second nonlin- 
ear function being a function wherein a variable giv- 
ing a value of the function is difficult to be estimated 
from tiie value of the function; and 
a step of outputting each y-th of m internal crypto- 
keys by combining a y-th of the m sets of first con- 
version results and an (m - y -f 1 )-th of tiie m sets of 
second conversion results according to a combin- 
ing function, / being a positive integer not more than 
m, so that each bit of the y-th of tiie m internal 
crypto-keys has XOR logic of corresponding bits of 



tiie Mh of the m sets of first conversion results and 
tiie (m - y -I- 1)-tii of tiie m sets of second conversion 
results, for example. 

5 [001 9] Each of the first nonlinear function and the sec- 
ond nonlinear function is preferably a one-way function 
wherein a variable giving a value of the one-way func- 
tion is substantially impossible to be estimated from tiie 
value of tiie one-way function. 

10 [0020] Therefore, by giving an extemal key of 2n bits, 
tiie apparatus of the invention can generates m sets of 
internal keys of n bits at once, that is. about n times 
faster tiian to generate tiie same number of internal 
keys by way of the pseudo-random-sequence generator 

15 of FIG. 5. wherein only an LSB is available at one clock. 
[0021] Further, even if a third party, who does not 
know the external key, might have succeeded to obtain 
a /c-th {k being 1 to m) internal key by some means, and 
to estimate a k-\h of the m sets of first conversion 

20 results and an (/n - + 1)-th of tiie /7i sets of second 
conversion results, other internal keys can be protected 
from the tiiird party with sufficient security. 
[Q022] The above method can be realized with an 
apparatus, for example, comprising: 

25 

a one-way-function circuit for outputting a conver- 
sion result by processing an input bit sequence witii 
a one-way function; 

a register for holding the conversion result output- 
30 ted from the one-way-function circuit and outputting 
the conversion result previously held in the register 
in synchronization with a clock signal; 
a selector for selecting erttier tiie extemal key or an 
output of tiie register according to a selection signal 
35 as tiie input bit sequence to be processed by the 
one-way-function circuit; 

a LIFO (Last-ln-First-Out) buffer wherein conver- 
sion results output from tiie one-way-function circuit 
are stacked in synchronization with tiie cfock signal 

40 when the LIFO buffer is controlled in a writing 
mode, and the conversion results stacked in the 
LIFO buffer are popped up in synchronization witti 
the clock signal when tiie LIFO buffer is controlled 
in a reading mode; and 

45 a combining circuit for outputting internal crypto- 
keys in synchronization witii tiie clock signal by 
combining outputs of the LIFO buffer and the one- 
way-function circuit. 

50 [0023] In the above apparatus, tiie LIFO buffer is con- 
trolled in tiie writing mode for first m clock pulses after 
initialization. At tiie first one clock, the external key is 
selected by the selector as tiie input bit sequence to be 
processed by tiie one-way-function circuit, and after- 

55 wards, the output of the register is selected, so tiiat m 
sets of conversion results are stacked in the LIFO buffer. 
Then, the UFO buffer is controlled In the reading mode 
for following m dock pulses, in order to generate m 
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internal aypto-keys by combining outputs of the one- 
way-function circuit and the LIFO buffer, clock by clock. 
[00241 TTie foregoing, further objects, features, and 
advantages of this invention will become apparent from 
a consideration of the following description, the 
appended claims, and, the accompanying drawings 
wherein the same numerals indicate the same or the 
con-esponding parts. 
[0025] In the drawings: 

FIG. 1 is functional block diagram illustrating an 
apparatus for generating internal crypto-keys 
according to a first embodiment of the invention; 
FIG. 2 is a functional block diagram illustrating the 
apparatus for generating the internal crypto-keys 
according to a second embodiment of the invention; 
FIG. 3 is a flowchart illustrating operational flow of 
the second embodiment of FIG. 2; 
FIG. 4 is a functional block diagram illustrating a 
third embodiment of the Invention; 
FIG. 5 is a block diagram illustrating a configuration 
example of a conventional pseudo-random- 
sequence generator; and 

FIG. 6 is a functional block diagram illustrating a 
configuration example of a pseudo-random- 
sequence generator having a plurality of feedback- 
shift-registers. 

[0026] Now. embodiments of the present invention will 
be described in connection with the drawings. 
[0027] FIG. 1 is a functional block diagram Illustrating 
an apparatus for generating internal crypto-keys 
according to a first embodiment of the invention. 
[0028] Refemng to FIG. 1 , the apparatus comprises a 
first cascade connection of a first to an m-th one-way- 
function circuit 101 1 to 101^ a second cascade con- 
nection of another first to another m-th one-way-func- 
tion circuit 1 02i to 102;„ and a first to an m-th n-bit XOR 
circuit 103i tolOS^n. 

[0029] Half n bits (upper half n bits, for example) of an 
external key-data of 2n bits are supplied to the first one- 
way-function circuit 1 01 1 of the first cascade connection 
through a first external-key input terminal 105, and the 
other n bits of the external key-data are supplied to the 
first one-way-function circuit 102i of the second cas- 
cade connection through a second external-key input 
terminal 107. 

[0030] In the first cascade connection, the first one- 
way-function circuit 101 1 outputs a conversion result of 
n bits by processing the first half n-bit data of the exter- 
nal key with a first one-way function according to a first 
conversion parameter (public key) supplied through a 
first public-key input terminal 104. and each Mh (101,-; / 
being 2 to m) of the second to the m-th one-way-func- 
tion circuit outputs a conversion result of n bits by 
processing an output of the (/ - 1 )-th one-way-function 
circuit 101/.^ with the first one-way function according to 
the first conversion parameter. 



(0031 ] In the same way, the first one-way-function cir- 
cuit 102^ of the second cascade connection outputs a 
conversion result of n bits by processing the other half 
n-blt data of the external key with a second one-way 

5 function according to a second conversion parameter 
(public key) supplied through a second public-key input 
terminal 106, and each /-th (102/; / being 2 to m) of the 
second to the m-th one-way-function circuit outputs a 
conversion result of n bits by processing an output of 

10 the(/- 1)-th one-way-function circuit 102/.i withthesec- 
ond one-way function according to the second conver- 
sion parameter, in the second cascade connection. 
[0032] Each /-th (i being 1 to m) of the first to m-th 
XOR circuit 103i to 103^ calculates an XOR bit 

IS sequence of n bits to be oir^ut as an /-th internal key 
through corresponding one (108/) of a first to an m-th 
output terminal 108i to 108^, from outputs of the /-th 
one-way-function circuit 101/ of the first cascade con- 
nection and the (m • / + 1)-th one-way-function circuit 

^ '^^m-h^ <^ the second cascade connection, so that 
each bit of the XOR bit sequence has XOR logic of cor- 
responding two bits of outputs of the Mh one-way-func- 
tion circuit 101/ and the (m - / -I- 1)-th one way-function 
circuit 102 ^./+i. 

25 [0033] The apparatus for generating internal crypto- 
keys of FIG. 1 according to the first embodiment is thus 
configured. Therefore, by giving an external key of 2n 
bits together with a first and a second conversion 
parameter (public key), the apparatus of FIG. 1 can gen- 

30 erates m sets of internal keys of n bits at once, that is. 
about n times faster than to generate the same number 
of internal keys by way of the pseudo-random-sequence 
generator of FIG. 5. wherein only an LSB is available at 
one dock. 

35 [0034] Further, even if a third party, who does not 
know the external key, might have succeeded to obtain 
a /c-th [k being 1 to m) internal key output from the k-th 
output terminal 108^ by some means, and to estimate 
outputs of the ^-th one-way-function circuit 101 /^ of the 

40 first cascade connection and Xhe{m•k + ^ )-th one-way- 
function circuit 1 0Zfjj.i^^^, other internal keys can be pro- 
tected from the third party. 

[0035] This is because the third party cannot trace but 
outputs of the /c-th to the m-th one-way-function circuit 

45 101 /f to 101 ;„ of the first cascade connection and (m • k 
+ 1)-th to m-th one-way-function circuit of the second 
cascade connection according to characteristic of the 
one-way function, even if he night have obtained the 
outputs of the k'\h one-way-function circuit 101/^ and 

50 the (m - /c + 1)-th one-way-function circuit 102;^./^^.^ 
Therefore, the third party cannot obtain but either of two 
inputs of the first to the m-th XOR circuit 103^ to 103;n 
except the /(-th XOR circuit 103/1^. which makes hardly 
possible to estimate other internal keys for the third 

55 party which knows neither the external key nor the inter- 
nal keys. 

[0036] Practically saying, it is very difficult for the third 
party to estimate the outputs of the /r-th one-way-func- 
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tion circuit 101 /f and the (m - /c + one-way-function 
circuit 102;„.^^i. even if he has succeeded to obtain the 
k'ft) Internal key. Therefore, even If more than one inter- 
nal keys be broken, it is impossible to estimate other 
Internal keys. 5 
[0037] In the embodiment of FIG. 1 , the same one- 
way-function circuits given with the same conversion 
parameter are described to be used in either of the first 
cascade connection or the second cascade connection. 
However, they may be different with each other and may io 
be given different conversion parameters with each 
other in either or both of the first and the second cas- 
cade connection, or on the contrary, one-way-function 
circuits which process their input bit sequences with the 
same one-way-function may be applied to all the one- is 
way-function circuits of the first and the second cascade 
connection, given with the same or different conversion 
parameters. 

[0038] The one-way-function circuits may be used 
cyclically so 
[0039] FIG. 2 is a functional block diagram illustrating 
the apparatus for generating the internal crypto-keys 
according to a second embodiment of the invention, 
having a first sub-generator comprising a first selector 
201 , a first one-way-function circuit 101 and a first reg- ss 
ister 202, a second sub-generator comprising a second 
selector 205, a second one-way-function circuit 102 and 
a second register 204, a LIFO (Last-ln-Rrst-Out) buffer 
203, and an XOR circuit 103. 

[0040] Each of the first and the second sub generator so 
has a similar configuration to the pseudo-random- 
sequence generator of FIG. 5. 
[0041 ] Half n bits of all external key of 2n bits are input 
to the first selector 201 through a first external-key input 
Input terminal 105 and the other n bits of the external 35 
key are input to tiie second selector 205 through the 
second external-key input terminal 107. The first one- 
way-function circuit 101 outputs a conversion result of n 
bits by processing an n-bit output of the first selector 
201 with a first one-way function according to a first con- 40 
version parameter (public key) supplied through a first 
public-key input terminal 104. 
[0042] The first register 202 holds the conversion out- 
put of the first oneway-function circuit 101 and outputs 
previously hekj data of n bits to the first selector 201 in 4S 
synchronization with a dock pulse CLK supplied 
through a clock terminal 210. 
[0043] The first selector 201 selects the n-bit output of 
the first register 202 when a selection signal SEL sup- 
plied through a selection signal input terminal 21 1 is at so 
logic 'V and selects the first half n bits of the external 
key supplied through the first external-key input terminal 
105 when the selection signal SEL is at logic '0*. as the 
n-bit output to be processed by the first one-way-func- 
tion circuit 101. 55 
[0044] In the same way, the second one-way-function 
circuit 102 outputs a conversion result of n bits by 
processing an n-bit output of the second selector 205 



with a second one-way function according to a second 
conversion parameter (public key) supplied through a 
second public-key input terminal 106. The second regis- 
ter 204 holds the conversion output of the second one- 
way-function circuits 102 and outputs previously held 
data of n bits to the second selector 205, in synchroni- 
zation with the dock pulse CLK. The second selector 
205 selects tiie n-bit output of the second register 204 
when the selection signal SEL is at logic *V and selects 
the other n bits of the external key supplied through the 
second external-key input terminal 107 when the selec- 
tion signal SEL Is at logic '0', as the n-bit output to be 
processed by the second one-way-function drcuit 102. 
[0045] The LIFO buffer 203, comprising a memory 
and an address counter, initializes the address counter 
when tine dock pulse CLK is supplied during a control 
signal CLR supplied through a control terminal 212 is at 
logic 'O*. 

[0046] When the control signal CLR is at logic '1 ' and 
a read^vrite signal R/W supplied through a read^ite 
terminal 213 is at logic '0*. ttie LIFO buffer stores tiie n- 
bH output of the second one-way-function circuit 102 in 
synchronization with tiie clock pulse CLK at an address 
indicated by tiie address counter, incrementing tiie 
address counter, and tiie LIFO buffer outputs n-bit data 
of an address indicated by the address counter to the 
XOR circuit 108 in synchronization with tiie clock pulse 
CLK decrementing the address counter, when botii the 
read/write signal R/W and the control signal CLR are at 
logic 'V, 

[0047] The XOR circuit 103 calculates an XOR bit 
sequence of n bits to be output as an internal key 
ttirough an output terminal 108, from outputs of the first 
one-way-function drcuit 101 and the LIFO buffer 203, 
so tiiat each bit of the XOR bit sequence has XOR logic 
of corresponding two bits of the n-bit outputs of the first 
one-way-function circuit 101 and the LIFO buffer 203. 
[0048] Now, referring to a flowchart of FIG. 3, opera- 
tion of the second embodiment of FIG. 2 is described. 
[0049] Supplying each half of an external key of 2n 
bits to respective one of tiie first and tiie second exter- 
nal-key input terminal 105 and 107, and the first and tiie 
second conversion parameters to the first and tiie sec- 
ond public-key input terminal 104 and 106, respectively, 
the control signal CLR of logic '0* is supplied to the LIFO 
buffer 203 for initializing the LIFO buffer 203 witii the 
first clock pulse CLK (at step 310). Then tiie LIFO buffer 
203 is controlled In a writing mode by turning the control 
signal CLR to logic 'V and supplying the read/Write sig- 
nal R/W of logic '0' (at step 320). 
[0050] Then the second selector 205 is controlled to 
select the half bits of tiie external key supplied tiirough 
tiie second external-key Input terminal 205 by supplying 
tiie selection signal SEL of logic *0', and one clock pulse 
CLK is supplied (at step 330) to the second register 204 
and the LIFO buffer 203. Then, turning the selection sig- 
nal to logic 'V for controlling the second selector 205 to 
select n-bit outputs of the second register 204. and m - 
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1 Clock pulses CLK are supplied to the second register 
204 and the LIFO buffer 203 (at step 340). 
[0051 ] Thus, m sets of conversion results of n bits of 
the second one-way-function circuit 102 are stored in 
the LIFO buffer 203. s 
[0052] Then, the read/ write signal R/W is turned to 
logic '1' for controlling the LIFO buffer 203 into a reading 
mode (at step 350), and the selection signal SEL of 
logic '0' is supplied for controlling the first selector 201 to 
select the other half of the external key supplied to the io 
first external-key input terminal 105 at the next clock 
pulse CLK (at step 360). 

[0053] Then, turning the selection signal SEL to logic 
'1 ' for controlling the first selector 201 to select n-bit out- 
puts of the first register 202, m - 1 dock pulses CLK are is 
supplied to the first register 202 and the LIFO buffer 203 
(at step 370). 

[0054] Thus controlling the apparatus of FIG. 2, m 
sets of internal keys of n bits are output from the output 
terminal 108 in synchronization with the clock pulse 20 
CLK set by set at step 360 and step 370, and the inter- 
nal keys having the same security with the internal keys 
generated by the first embodiment of FIG. 1 can be 
obtained with a far simpler configuration than the first 
embodiment and with only two times calculation time. 25 
[0055] FIG. 4 is a functional block diagram illustrating 
a third embodiment of the invention. In the third embod- 
iment, a single /7-bit external key is supplied to an exter- 
nal-key input terminal 405 together with a conversion 
parameter supplied to a public-key input tenminal 104. 30 
The LIFO buffer 203 is controlled in the writing mode for 
the first m clock pulses CLK after initialization and the 
conversion results of a single one-way-function circuit 
101 is buffered in tiie LIFO buffer 203, in a similar way 
with the second embodiment of FIG. 2. For the following 35 
m dock pulses CLK, the LIFO buffer 203 is set in the 
reading nxxle, and tiie output of the LIFO buffer 203 is 
XORed with the conversion result of tiie one-way-func- 
tion circuit 101 by the XOR circuit 103 clock by dock to 
be output as each of the m sets of the internal keys. 4o 
[0056] As above described, tiie apparatus of FIG. 4 is 
equivalent to the apparatus of FIG. 2 on condition that 
the same n-bit external keys are supplied to the first and 
the second external-key input terminal 105 and 107, 
and the first and the second one-way-function drcuit 45 
101 and 102 output conversion results by processing 
the output of respective selectors 201 and 205 with the 
same one-way function according to the same conver- 
sion parameters, in the second embodiment of FIG. 2. 
Therefore, duplicated explanation is omitted. so 
[0057] However, either or both the external key and 
the conversion parameter to be supplied to the third 
embodiment may be changed for the first m docks and 
for the following m clocks, of cause. 
[0058] According to the third embodiment of FIG 4, the ss 
second one-way-function drcuit 102, tiie second regis- 
ter 204 and tiie second selector 205 can be further 
economized conpared to the second embodiment of 



FIG. 2. 

[0059] Heretofore, internal keys of r?-bit lengtii are 
described to be generated from an external key of 2n- 
bits or n bits. However, when bit-lengtti of the given 
external key is shorter, necessary number of bits having 
any logic may be supplemented, or, a part of outputs of 
tiie output terminal 108 or the IO81 to 108;„ may be 
used as tiie internal keys, when bit-lengtii of the 
required internal keys is shorter. Further, the XOR dr- 
cuit 103, or 103^ to 103^ may be replaced with any 
appropriate combining functions. 
[0060] Still further, the one-way-function circuits 101 . 
102, IOI1 to 101^. or 102i to 102;„ may be replaced 
with non-linear function circuits when required security 
is not so high, on condition that inverse predklion is suf- 
ficiently difficult In tiie non-linear function drcuits. 

Claims 

1. A method of generating internal crypto-keys to be 
set as initial values in feedback registers of an 
pseudo-random-sequence generator of a stream 
cipher system from an external key; the mettiod 
comprising: 

a step of oulputting m sets of first conversion 
results, each /-tii of tiie m sets of first conver- 
sion results being obtained by processing an (/ 
- 1)-tii of the m sets of first conversion results 
with a first nonlinear function and a first of tiie 
m sets of first conversion results being 
obtained by processing a first part of the exter- 
nal key with tiie first nonlinear function, m 
being a positive integer more than one, / being 
a positive integer more than one and not more 
than m, and the first nonlinear function being a 
function wherein a variable giving a value of the 
function is difficult to be estimated from tiie 
value of the function: 

a step of outputting m sets of second conver- 
sion results, each /-th of ttie m sets of second 
conversion results being obtained by process- 
ing an (/ - 1)-th of the m sets of first conversion 
results witii a second nonlinear function and a 
first of the m sets of second conversion results 
being obtained by processing a second part of 
the external key with the second nonlinear 
function, the second nonlinear function being a 
function wherein a variable giving a value of tiie 
function is difficult to be estimated from the 
value of the function; and 
a step of outputting each y-th of m internal 
crypto-keys by combining an y-th of the m sets 
of first conversion results and an (m - y + 1)-th 
of the m sets of second conversion results 
according to a combining function. } being a 
positive integer not more than m. 
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A method of generating internal crypto-l«ys as 
recited in claim 1; wherein at least one of the first 
nonlinear function and the second nonlinear func- 
tion is a one-way function wherein a variable giving 
a value of the one-way function is substantially 5 
Impossible to be estimated from the value of the 
one-way function. 

A method of generating internal crypto-keys as 
recited in dalm 1 or 2 wherein each bit of the y'-th of 10 
the m internal crypto-keys has XOR (exclusive OR) 
logic of corresponding bits of the y-th of the m sets 
of first conversion results and the (m - y + 1)-th of 
the m sets of second conversion results. 

IS 

An apparatus for generating internal crypto-keys to 
be set as initial values in feedback registers of an 
pseudo-random-sequence generator of a stream 
cipher system from an external key; the apparatus 
comprising: 20 

a first cascade connection of m one-way-func- 
tion circuits (101 1 to 101^). a first one-way- 
function circuit (1 01 1) of the first cascade con- 
nection outputt'ng a conversion result by 2S 
processing a first part of the external key with a 
first one-way-function and each /-th one-way- 
function circuit of the first cascade connection 
outputting a conversion result by processing an 
output of an (/ - 1)-th one-way-function circuit of so 
the first cascade connection with the first one- 
way-function, m being a positive integer more 
than one, / being a positive integer more than 
one and not more than m, and the first one- 
way-function being a function wherein a varia- 3S 
ble giving a value of the function is substantially 
impossible to be estimated from the value of 
the function; 

a second cascade connection of m one-way- 
function circuits (102^ to 102^), a first one- 40 
way-function circuit (102^) of the second cas- 
cade connection outputting a conversion result 
by processing a second part of the external key 
with a second one-way-function and each Mh 
one-way-function circuit of the second cascade 45 
connection outputting a conversion result by 
processing an output of an (/ - 1)-th one-way- 
function circuit of the second cascade connec- 
tion with the second one-way-function, the sec- 
ond one-way-function being a function wherein so 
a variable giving a value of the function is sub- 
stantially impossible to be estimated from the 
value of the function; and 
m corribining function (103i to 103^), each y-th 
of the m combining function outputting y-tii of m ss 
internal crypto-keys by combining outputs of a 
y-tii one-way-function circuit of tiie first cascade 
connection and an (m - y + 1)-th one-way-func- 



tion circuit of the second cascade connection, y 
being a positive integer not more than m. 

5. An apparatus for generating internal crypto-keys to 
be set as Initial values in feedback registers of an 
pseudo-random-sequence generator of a stream 
cipher system from an external key; the apparatus 
comprising: 

a first one^y-function circuit (101) for output- 
ting a conversion result by processing an input 
bit sequence with a first one-way function, the 
first one-way-function being a function wherein 
a variable giving a value of the function is sub- 
stantially impossible to be estimated from the 
value of the function; 

a first register (202) for holding the conversion 
result outputted from the first one-way-function 
circuit (101) and outputting tiie conversion 
result previously held in the first register (202) 
in synchronization with a clock signal; 
a first selector (201) for selecting either a first 
part of the external key or an output of the first 
register (202) according to a selection signal as 
the irput bit sequence to be processed by the 
first one-way-function circuit (101); 
a second one-way-function circuit (102) for out- 
putting a conversion result by processing an 
input bit sequence with a second one-way 
function, the second one-way-function being a 
function wherein a variable giving a value of the 
function is substantially impossible to be esti- 
mated from the value of the function; 
a second register (204) for holding the conver- 
sion result outputted from the second one-way- 
function circuit (102) and outputting the conver- 
sion result previously held in the second regis- 
ter (204) in synchronization with the clock 
signal; 

a second selector (205) for selecting either a 
second part of the external key or an output of 
the second register (205) according to the 
selection signal as the input bit sequence to be 
processed by the second one-way-function cir- 
cuit (102); 

a LIFO (Last-In-First-Out) buffer (203) wherein 
conversion results outputted from the second 
one-way-function circuit (102) are stacked in 
synchronization with the dock signal when the 
LIFO buffer is controlled In a writing mode, and 
the conversion results stacked in the LIFO 
buffer (203) are popped up in synchronization 
with the clock signal when tiie LIFO buffer 
(203) is controlled in a reading mode; and 
a combining drcuit (103) for outputting internal 
crypto-keys in synchronization with tiie clock 
signal by combining outputs of tiie LIFO buffer 
(203) and the first one-way-function circuit 
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(101). 

An apparatus for generating internal crypto-keys to 
be set as initial values in feedback registers of an 
pseudo-random-sequence generator of a stream s 
cipher system from an extemal key; the apparatus 
comprising: 

a one-way-function circuit (101) for oulputting a 
conversion result by processing an input bit io 
sequence with a one-way function, the one- 
way-function being a function wherein a varia- 
ble giving a value of the function is substantially 
impossible to be estimated from the value of 
the function; ts 
a register (202) for holding the conversion 
result outputted from the one-way-function cir- 
cuit (101) and outputting the conversion result 
previously heki in the register (202) in synchro- 
nization with a clock signal; 20 
a selector (201) for selecting either the external 
key or an output of the register (202) according 
to a selection signal as the input bit sequence 
to be processed by the one-way-function circuit 
(101); 25 
a LIFO buffer (203) wherein conversion results 
output from the one-way-function circuit (102) 
are stacked in synchronization with the clock 
signal when the LIFO buffer is controlled in a 
writing mode, and the conversion results so 
stacked in the LIFO buffer (203) are popped up 
in synchronization with the clock signal when 
the LIFO buffer (203) is controlled in a reading 
nrKXie; and 

a combining circuit (103) for outputting internal 35 
crypto-keys in synchronization with tiie clock 
signal by combining outputs of the LIFO buffer 
(203) and the one<way-function circuit (101). 

An apparatus for generating internal crypto-keys as 40 
recited in claim 5; wherein each bit of an internal 
crypto-key output by the combining circuit has XOR 
logic of corresponding bits of outputs of the first 
one-way-function circuit (101) and the LIFO buffer 
(203). 45 

An apparatus for generating internal crypto-keys as 
recited in claim 6; wherein each bit of an internal 
crypto-key output by the combining circuit has XOR 
logic of coH'esponding bits of outputs of the one- so 
way-function circuit (101) and the LIFO buffer (203). 
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